On 3/24/13 1:24 PM, Zehef Poto wrote:
Thank you Payam. I think I got what you mean.

In this particular case however, the X/22 route is not a customer or
anything. It is the IXP's peering LAN!

So... It means that the person requested all the IXP's members to
null-route the whole peering LAN? How can you possibly ask for this?

I peer with several members within this LAN. If I null-route the X/22 LAN,
we agree that my peering sessions will go down, right?

What they're asking is for you to not carry the prefix in your network... The devices directly attached have that route at a lower admin distance (e.g. direct); your peering routers will therefore not have their sessions go down. However, any BGP routes you learn over the peering fabric need to have a nexthop that is in your routing table; that could be the peering router (nexthop self), a more specific route for the peer router, or something else.

Thanks again,

2013/3/24 Payam Chychi <pchy...@gmail.com>

Carrying a route is the same as accepting a route and having it become
active, allowing traffic to traverse your network to the destination. In
this case the user is asking you to drop the route (attack traffic) at your
edge if possible and not to carry it through your network and deliver it to
the end destination (his network) because it's probably saturating or causing
him performance issues.

Normally networks will have a global community string that they can tag a
route with and it will send it to null0, dropping that traffic at the edge
vs. the user withdrawing its -/24 route from the advertise table. You can
also go on the peering router and set the next hop route for the attacked
destination IP to null0 (discard) and only traffic traversing that one
router will drop the traffic (global community will handle this if you
have a multihomed network).

Local nullroute example:
"set routing-options static route x.x.x.x/32 discard" ... Something like
this

All you're doing is dropping traffic for x.x.x.x/x at your edge, most cases
it's a /32 nullroute.

Google is your friend :)
Cheers,
--
Payam Chychi
Network Engineer / Security Specialist

On Sunday, 24 March, 2013 at 6:47 AM, Zehef Poto wrote:

Hey guys,

Thank you all for the very valuable input. Actually yes, Tobias is right,
I'm having this question because of the (quoted by Tobias) e-mail we got
yesterday across several IXPs.

I just don't understand what it is to "carry a route in my backbone". Am I not
supposed to know all of (or most of) the Internet routes, since I work with
tier-1 upstream providers? As a consequence, it means I'm carrying all
these routes, right?

A "show route X/22" tells that it was advertised by an eBGP peer on one of
my edge routers, and the three other ones learnt this same route via OSPF.

This is where I'm completely confused. What am I supposed to do to "carry"
a route or not?

Thanks again,

2013/3/24 Tobias Heister <li...@tobias-heister.de>

Hi All,

On 24.03.2013 00:26, Jeff Wheeler wrote:

Whoever that person is that said something about "use next-hop-self"
in this context, either you misunderstood them, or you shouldn't
listen to them anymore. That has nothing to do with looking to see if
your router knows about a route.


This sounds like the OP wants to help the Cloudflare guys who sent the
following mail to DECIX/AMSIX (and probably other IX) yesterday.

We're currently seeing a very large attack directed to our IP on AMS-IX
(X).

We request that all peers:

1) Don't carry this route (X/22) in your backbone. (you can set
next-hop-self, etc). It'll save other security concerns and possible free
transit you're giving away to others.

2) Filter any traffic within to the AMS-IX exchange fabric (again,
X/22), except for your point to [multi]point BGP communications.

--
Kind Regards
Tobias Heister

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
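
Added example, not part of the thread: a pre-change check for the advice discussed above, reporting which routers carry the peering LAN other than as a direct route and which BGP routes would lose their next hop if that route were dropped. It assumes next hops resolve only through non-BGP routes; the routers, the 192.0.2.0/24 stand-in for X/22 and all prefixes are constructed.

```python
import ipaddress

# Constructed sample data. 192.0.2.0/24 stands in for the peering LAN (the
# thread's X/22); routers, loopbacks and prefixes are hypothetical.
# Each route is (prefix, protocol, BGP next hop or None).
IXP_LAN = ipaddress.ip_network("192.0.2.0/24")
TABLES = {
    # Edge router on the exchange: LAN is direct, and also heard via eBGP.
    "edge1": [("192.0.2.0/24", "direct", None),
              ("192.0.2.0/24", "bgp", "192.0.2.20"),
              ("203.0.113.0/24", "bgp", "192.0.2.10")],
    # Core router: LAN learned via OSPF, iBGP next hop left unchanged.
    "core1": [("192.0.2.0/24", "ospf", None),
              ("10.0.0.1/32", "ospf", None),
              ("203.0.113.0/24", "bgp", "192.0.2.10")],
    # Core router whose edge sets next-hop-self (edge1 loopback 10.0.0.1).
    "core2": [("192.0.2.0/24", "ospf", None),
              ("10.0.0.1/32", "ospf", None),
              ("203.0.113.0/24", "bgp", "10.0.0.1")],
}

def resolves(next_hop, table):
    """True if some non-BGP route covers next_hop (simplified resolution)."""
    nh = ipaddress.ip_address(next_hop)
    return any(proto != "bgp" and nh in ipaddress.ip_network(prefix)
               for prefix, proto, _ in table)

def audit(table):
    """Return (carried, at_risk) for one router's table.

    carried: LAN routes held by anything other than a direct attachment.
    at_risk: BGP prefixes whose next hop stops resolving once those go.
    """
    def is_carried(prefix, proto):
        return (proto != "direct"
                and ipaddress.ip_network(prefix).overlaps(IXP_LAN))
    carried = [p for p, proto, _ in table if is_carried(p, proto)]
    remaining = [r for r in table if not is_carried(r[0], r[1])]
    at_risk = [p for p, proto, nh in remaining
               if proto == "bgp" and not resolves(nh, remaining)]
    return carried, at_risk

if __name__ == "__main__":
    for name, table in TABLES.items():
        carried, at_risk = audit(table)
        print(f"{name}: carries LAN via {carried or 'nothing'}; "
              f"BGP routes losing their next hop: {at_risk or 'none'}")
```

On the sample data only core1 reports an at-risk prefix: it still depends on the OSPF-learned LAN route to reach the peer's address, while core2 resolves the same prefix through the edge router's loopback.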



